Could one of your compliance officers, whistleblower hotline or due diligence vendor employees, internal audit employees or even a member of your board of directors be anonymously funneling information about a Foreign Corrupt Practices Act (“FCPA”) problem at your company to the U.S. Securities and Exchange Commission (“SEC”) in the hopes of triggering a huge enforcement action and earning a multi-million dollar bounty? 

The whistleblower bounty provisions of the U.S. Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank”) have received a lot of press.  As most readers likely already know, the provisions entitle qualified whistleblowers to collect 10 percent to 30 percent of securities law enforcement recoveries by government enforcers, under certain circumstances.  Most readers also probably know that violations of the accounting provisions of the FCPA can qualify as violations of the “securities laws.”  One aspect of the bounty program has gone largely unnoticed; however, even persons who owe your company fiduciary duties to detect and combat fraud and corruption can be eligible for lucrative Dodd-Frank whistleblowing bounties.

In August 2011, the SEC’s final rules relating to whistleblower awards under Dodd-Frank went into force.  Under the final rules, a whistleblower has no duty to inform the company before making a report to the SEC.  If a whistleblower chooses to report a violation internally, the whistleblower must report the violation to the SEC within 120 days from the date of the internal report to be eligible for a monetary award.[i]  Indeed, the FAQ webpage for the SEC’s Office of the Whistleblower explicitly advises visitors that to be eligible for an award, they must promptly report the violation to the SEC even if they have already reported the violation through their company’s internal compliance channels.  While persons who have a fiduciary duty to report violations to the company are initially excluded from qualifying as a whistleblower, once 120 days have elapsed since an officer (including a compliance officer), director, trustee or partner informed the company’s audit committee, chief legal officer, or chief compliance officer, a person with a fiduciary duty may become a whistleblower eligible for a bounty – even if he or she received the information from another person.[ii]

The result: a whistleblower – even a compliance officer, auditor, board member or officer – can anonymously report a securities law violation to the SEC.  He or she can then wait to see if any enforcement action occurs and if so, whether the cash bounty will be worth any hurt feelings that may occur back at the office.  Considering that numerous FCPA enforcement actions have exceeded US$100 million, the potential to recover tens of millions of dollars in a bounty may motivate even highly-compensated individuals to become SEC whistleblowers.  

What About Requiring Our Key Personnel and Vendors to Sign Confidentiality Agreements?

It is unlawful for companies to contractually or otherwise forbid the making of reports to the SEC.  Dodd-Frank further enhances protections for whistleblowers against workplace retaliation. Dodd-Frank whistleblowers may make their reports anonymously through counsel; a whistleblower must reveal his or her identity to the SEC before receiving the bounty, but this can occur after the enforcement action result has been announced.

Does Dodd-Frank Apply to Your Company?

Companies based outside of the U.S. may not be aware of the massive financial incentive that their most trusted employees have to swiftly report FCPA problems straight to U.S. SEC enforcers. Dodd-Frank applies to companies that qualify as “issuers” under U.S. law, including companies organized outside the U.S. that have American depositary receipts. 

How Can A Company Reduce the Risk That Internal Investigation and Self-Disclosure Opportunities Are Short-Circuited by Trusted Employees Reporting Directly to the SEC?

Two things can reduce the risk that a fiduciary short-circuits your company’s internal compliance efforts by going straight to the SEC: the attorney-client privilege and a swift, privileged investigative response.

  1. Privilege – To be eligible for a bounty, a whistleblower must provide the SEC with “original information.”  Critically, the SEC will not treat information covered by the attorney-client privilege as “original information,” assuming the information does not fall within narrow exceptions.[iii]  Accordingly, it is important to recognize that the work of a company’s internal auditors and other employees and vendors may be covered by the U.S. attorney-client privilege or work product doctrine only if their work is undertaken at the direction of counsel acting in a legal role.  Because information covered by the attorney-client privilege is not “original information” eligible for an award, companies should involve counsel as early as possible when there is a report of a violation of U.S. securities laws (including the FCPA).  If you allow information about a potential problem to be gathered by employees or vendors that are not acting at the direction of counsel, your company may be funding fact-finding that one of your own investigators (or others who learn of their findings) can report directly to the SEC.

Because many in-house counsel often act in multiple roles (i.e., legal, compliance, and business), it is much safer for companies to rely on outside counsel to avoid ambiguity as to whether a whistleblower investigation is cloaked in the attorney-client privilege and work product doctrine. Given the increasing prevalence of enforcement actions by multiple jurisdictions, involving outside counsel is also important where the company may have a nexus with non-U.S. jurisdictions that do not recognize the privilege for in-house counsel.

  1. A Swift Investigation – If a person has internally reported a securities law violation, they cannot be eligible for a whistleblower bounty if they fail to convey the information to the SEC within 120 days of the internal report.  Moreover, 120 days after the internal report, even those with fiduciary responsibilities to the company can become eligible for bounties for reporting non-privileged information to the SEC (even information conveyed to them by others) if they are not otherwise ineligible.  Thus, to preserve the company’s ability to self-disclose any potential violations, it can be critical that the company determine as many facts as possible within 120 days of the first internal report.  While completing a thorough investigation within 120 days is very unlikely in most circumstances, the more facts that can be determined at an early stage, the better.


To better achieve these two key goals, make sure your company has an updated response plan. Developing a response plan before a crisis will not only reduce the risk of your investigative efforts being short-circuited by your own trusted personnel directly reporting investigative results to the SEC before the company can act; it also can help reduce the actual costs of the investigation. Retention and deployment of outside global and local foreign investigations counsel (and other key services) are likely to be less costly if done pre-crisis rather than on an urgent basis and in the absence of prior contingency planning. 

Takeaway: Your most trusted compliance personnel are likely the individuals best-positioned to be Dodd-Frank whistleblowers. Aside from perhaps the general counsel, who knows more about potential problems at your company than your compliance staff, HR staff, whistleblower/ethics line vendor, due diligence vendor, public auditor, ombudsman, internal audit staff, officers and board of directors? 

If you don’t already have a rapid response plan, develop and implement one now so that at the first sign of a problem you can initiate a proper (and more cost-effective) internal investigation that is clearly protected by the attorney-client privilege. The earlier that your company can transition from the discovery or gathering of non-privileged “original information” by potential whistleblowers to a well-coordinated, privileged internal investigation, the more likely your company will be able to receive key facts and make pro-active decisions ahead of a government investigation. If your company has a real problem, the last thing you need is a member of your fact-finding or leadership team reporting information to the SEC before the company has had an opportunity to properly consider preliminary investigation results.